Handbook

Introduction
What's New
Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Dashboard
- Widgets
- Dashboard management tools
Security Fabric
- Automation
- Fabric connectors
- External connectors
FortiView
- Logical Topology
- Server Load Balance
- Security
- System
  - Event Logs
  - Automation
- Global Load Balance
  - Host
  - Data Analytics
- Link Load Balance
  - Gateway
- ZTNA FortiClient endpoint
System
- Settings
- Virtual Domain
- High Availability
- Traffic Group
- Administrator
- Global Resources
- WCCP
- SNMP
- Replacement Messages
- FortiGuard
  - Connecting to FortiGuard services
  - Configuring FortiGuard service settings
- Debug
- Certificate
Network
- Interface
- Routing
- NAT
  - Configuring source NAT
  - Configuring 1-to-1 NAT
- QoS
- Packet capture
Shared Resources
- Health Check
- Schedule Group
- Address
- Service
  - Creating service groups
  - Creating service objects
Server Load Balance
- Virtual Server
- Application Resources
- Application Optimization
- Real Server Pool
- Scripting
  - Using HTTP scripting
- SSL-FP Resources
Link Load Balance
- Link Policy
- Link Group
- Virtual Tunnel
Global Load Balance
- GLB Wizard
- FQDN
- Zone Tools
- Global Object
Web Application Firewall
- OWASP TOP10
- WAF Profile
- Known Web Attacks
  - Configuring a Web Attack Signature policy
  - Using the Signature Creation Wizard
- Common Attacks Detection
- Sensitive Data Protection
  - Configuring a Cookie Security policy
  - Configuring an HTTP Header Security policy
- Data Loss Prevention
- Input Validation
- Access Protection
- CORS Protection
- API Protection
- Bot Mitigation
- Web Vulnerability Scanner
Advanced Bot Protection (ABP)
- Enabling the Advanced Bot Protection connector
- Obtaining the Application ID from the FortiGuard ABP User Portal
- Configuring an Advanced Bot Protection policy
- Advanced Bot Protection troubleshooting and debugging
Network Security
- Firewall
- Intrusion Prevention
- AntiVirus
- IP Reputation
- Geo IP Protection
Zero Trust Network Access (ZTNA)
- How device identity and trust context is established with FortiClient EMS
- Configuring FortiClient EMS Connector for ZTNA
- Verifying client certificate, FortiClient endpoint and ZTNA tag synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- ZTNA troubleshooting and debugging
DoS Protection
- DoS Protection Profile
- Application
- Networking
User Authentication
- Authentication Policy
- User Group
  - Configuring user groups
  - Configuring customized authentication forms
- Local User
- Remote User
- Using Kerberos Authentication Relay
  - Using HTTP Basic SSO
- SAML
  - Configure an SAML service provider
  - Import IDP Metadata
- AD FS Proxy
  - Adding an AD FS Publish
  - Adding an AD FS Proxy
- OAuth 2.0 authentication
Log & Report
- Using the traffic log
- Using the security log
- Using the script log
- Log Setting
- Report Setting
AI Threat Analytics
- AI Threat Analytics troubleshooting and debugging
SSL Advanced Services
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
- HSM Integration
Best Practices and Fine-tuning
- Regular backups
  - Rebooting, resetting, and shutting down the system
  - SCP support for configuration backup
- Security
- Performance tips
- High availability
Troubleshooting
- Logs
- Tools
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Appendices
- Port Numbers
- Scripts
- Maximum Configuration Values
Change Log

Home FortiADC 7.4.3 Handbook

Configuring content routes

7.4.3

Copy Link

Copy Doc ID 452adf09-f14a-11ee-8c42-fa163e15d75b:561482

Download PDF

Configuring content routes

You can use the content routes configuration to select the backend server pool based on matches to TCP/IP or HTTP header values.

Layer 7 content route rules are based on literal or regular expression matches to the following header values:

You might want to use Layer 7 content routes to simplify front-end coding of your web pages or to obfuscate the precise server names from clients. For example, you can publish links to a simple URL named example.com and use content route rules to direct traffic for requests to example.com to a server pool that includes server1.example.com, server2.example.com, and server3.example.com.

Layer 4 content route rules are based on literal or regular expression matches to the following header values:

Source IP address

Before you begin:

You must have a good understanding of HTTP header fields.
You must have a good understanding of Perl-compatible regular expressions (PCRE) if you want to use them in rule matching.
You must have Read-Write permission for Load Balance settings.

After you have configured a content routing rule, you can select it in the virtual server configuration.

Note: You can select multiple content routing rules in the virtual server configuration. Rules you add to that configuration are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content routing rule conditions specified in the virtual server configuration, the system behaves unexpectedly. Therefore, it is important that you create a “catch all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool.

To configure a content route rule:

Go to Server Load Balance > Virtual Server.
Click the Content Routing tab.
Click Create New to display the configuration editor.

Enter a name for the Content Routing configuration and select the Type:

Setting	Description
Name	Configuration name. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No spaces. You reference this name in the virtual server configuration. Note: After you initially save the configuration, you cannot edit the name.
Type	Layer 4 Layer 7

Setting

Description

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the virtual server configuration.

Note: After you initially save the configuration, you cannot edit the name.

Type

Layer 4
Layer 7

The content routing settings applicable to the selected Type displays.

If the Type is Layer 7, configure the following settings.

Configure the General settings:

Setting	Description
Schedule Pool	Enable to select a schedule pool for content routing. This is disabled by default.
Schedule Pool List	The Schedule Pool List option is available if Schedule Pool is enabled. Select the schedule pool objects.
Real Server Pool	The Real Server Pool option is available if Schedule Pool is disabled. Select the real server pool configuration.
Persistence	The Persistence option is configurable if Inherit (Persistence) is disabled. Select a session persistence type if not inheriting persistence from the virtual server.
Inherit (Persistence)	Enable to use the persistence object specified in the virtual server configuration. This is enabled by default.
Method	The Method option is configurable if Inherit (Method) is disabled. Select a load balancing method type if not inheriting method from the virtual server.
Inherit (Method)	Enable to use the method specified in the virtual server configuration.

Click Save to commit the General settings to the Content Routing configuration.
Once the configuration is saved, the Match Condition (Empty Match Condition will match anything) section becomes configurable.
Under the Match Condition (Empty Match Condition will match anything) section, click Create New to display the configuration editor.

Configure the Match Condition (Empty Match Condition will match anything) settings:

Setting	Description
Object	Select content matching conditions based on the following parameters: HTTP Host Header HTTP Referer Header HTTP Request URL Source IP Address SNI Note: When you add multiple conditions, FortiADC joins them with an AND operator. For example, if you specify both a HTTP Host Header and HTTP Request URL to match, the rule is a match only for traffic that meets both conditions.
Type	The Type option is not available if Object is Source IP Address. String Regular Expression
Content	Specify the string or PCRE syntax to match the header or IP address. Note: An empty match condition matches any HTTP request.
Negative	Enable to rule matches if traffic does not match the expression. This is disabled by default.
Ignore Case	The Ignore Case option is not available if Object is Source IP Address. Enable to allow users to let the match be case sensitive. This is enabled by default.

Click Save to commit the Match Condition configuration and exit from the editor.

If the Type is Layer 4, configure the following settings.

Configure the Specifics settings:
Setting
Description
Source (IPv4) Address/mask notation to match the source IPv4 address in the packet header.
Source (IPv6) Address/mask notation to match the source IPv6 address in the packet header.

Setting	Description
Source (IPv4)	Address/mask notation to match the source IPv4 address in the packet header.
Source (IPv6)	Address/mask notation to match the source IPv6 address in the packet header.

Configure the General settings:

Setting	Description
Schedule Pool	Enable to select a schedule pool for content routing. This is disabled by default.
Schedule Pool List	The Schedule Pool List option is available if Schedule Pool is enabled. Select the schedule pool objects.
Real Server Pool	The Real Server Pool option is available if Schedule Pool is disabled. Select the real server pool configuration.
Persistence	The Persistence option is configurable if Inherit (Persistence) is disabled. Select a session persistence type if not inheriting persistence from the virtual server.
Inherit (Persistence)	Enable to use the persistence object specified in the virtual server configuration. This is enabled by default.
Method	The Method option is configurable if Inherit (Method) is disabled. Select a load balancing method type if not inheriting method from the virtual server.
Inherit (Method)	Enable to use the method specified in the virtual server configuration.
Packet Forward Method	Select the packet forwarding method: Inherit Full NAT
Source Pool List	The Source Pool List option is available if Packet Forward Method is Full NAT. Select the source pool objects for packet forwarding.

Save the configuration.
Once saved, the new Content Routing configuration will be listed in the Content Routing page.

Configuring content routes

You can use the content routes configuration to select the backend server pool based on matches to TCP/IP or HTTP header values.

Layer 7 content route rules are based on literal or regular expression matches to the following header values:

Layer 4 content route rules are based on literal or regular expression matches to the following header values:

Source IP address

Before you begin:

You must have a good understanding of HTTP header fields.
You must have a good understanding of Perl-compatible regular expressions (PCRE) if you want to use them in rule matching.
You must have Read-Write permission for Load Balance settings.

After you have configured a content routing rule, you can select it in the virtual server configuration.

To configure a content route rule:

Go to Server Load Balance > Virtual Server.
Click the Content Routing tab.
Click Create New to display the configuration editor.

Enter a name for the Content Routing configuration and select the Type:

Setting	Description
Name	Configuration name. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No spaces. You reference this name in the virtual server configuration. Note: After you initially save the configuration, you cannot edit the name.
Type	Layer 4 Layer 7

Setting

Description

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the virtual server configuration.

Note: After you initially save the configuration, you cannot edit the name.

Type

Layer 4
Layer 7

The content routing settings applicable to the selected Type displays.

If the Type is Layer 7, configure the following settings.

Configure the General settings:

Setting	Description
Schedule Pool	Enable to select a schedule pool for content routing. This is disabled by default.
Schedule Pool List	The Schedule Pool List option is available if Schedule Pool is enabled. Select the schedule pool objects.
Real Server Pool	The Real Server Pool option is available if Schedule Pool is disabled. Select the real server pool configuration.
Persistence	The Persistence option is configurable if Inherit (Persistence) is disabled. Select a session persistence type if not inheriting persistence from the virtual server.
Inherit (Persistence)	Enable to use the persistence object specified in the virtual server configuration. This is enabled by default.
Method	The Method option is configurable if Inherit (Method) is disabled. Select a load balancing method type if not inheriting method from the virtual server.
Inherit (Method)	Enable to use the method specified in the virtual server configuration.

Click Save to commit the General settings to the Content Routing configuration.
Once the configuration is saved, the Match Condition (Empty Match Condition will match anything) section becomes configurable.
Under the Match Condition (Empty Match Condition will match anything) section, click Create New to display the configuration editor.

Configure the Match Condition (Empty Match Condition will match anything) settings:

Setting	Description
Object	Select content matching conditions based on the following parameters: HTTP Host Header HTTP Referer Header HTTP Request URL Source IP Address SNI Note: When you add multiple conditions, FortiADC joins them with an AND operator. For example, if you specify both a HTTP Host Header and HTTP Request URL to match, the rule is a match only for traffic that meets both conditions.
Type	The Type option is not available if Object is Source IP Address. String Regular Expression
Content	Specify the string or PCRE syntax to match the header or IP address. Note: An empty match condition matches any HTTP request.
Negative	Enable to rule matches if traffic does not match the expression. This is disabled by default.
Ignore Case	The Ignore Case option is not available if Object is Source IP Address. Enable to allow users to let the match be case sensitive. This is enabled by default.

Click Save to commit the Match Condition configuration and exit from the editor.

If the Type is Layer 4, configure the following settings.

Configure the Specifics settings:
Setting
Description
Source (IPv4) Address/mask notation to match the source IPv4 address in the packet header.
Source (IPv6) Address/mask notation to match the source IPv6 address in the packet header.

Setting	Description
Source (IPv4)	Address/mask notation to match the source IPv4 address in the packet header.
Source (IPv6)	Address/mask notation to match the source IPv6 address in the packet header.

Configure the General settings:

Setting	Description
Schedule Pool	Enable to select a schedule pool for content routing. This is disabled by default.
Schedule Pool List	The Schedule Pool List option is available if Schedule Pool is enabled. Select the schedule pool objects.
Real Server Pool	The Real Server Pool option is available if Schedule Pool is disabled. Select the real server pool configuration.
Persistence	The Persistence option is configurable if Inherit (Persistence) is disabled. Select a session persistence type if not inheriting persistence from the virtual server.
Inherit (Persistence)	Enable to use the persistence object specified in the virtual server configuration. This is enabled by default.
Method	The Method option is configurable if Inherit (Method) is disabled. Select a load balancing method type if not inheriting method from the virtual server.
Inherit (Method)	Enable to use the method specified in the virtual server configuration.
Packet Forward Method	Select the packet forwarding method: Inherit Full NAT
Source Pool List	The Source Pool List option is available if Packet Forward Method is Full NAT. Select the source pool objects for packet forwarding.

Save the configuration.
Once saved, the new Content Routing configuration will be listed in the Content Routing page.